aerospike

package module
v0.2.0
Published: Jan 12, 2022 License: MPL-2.0 Imports: 18 Imported by: 0

README

vault-plugin-database-aerospike

A Vault plugin for Aerospike.

This project uses the database plugin interface introduced in Vault version 0.7.1.

Build

Pre-built binaries for Linux, macOS and Windows can be found at the releases page.

For other platforms, there are not currently pre-built binaries available.

To build, git clone this repository and run go build -o vault-plugin-database-aerospike ./plugin from the project directory.

Installation

The Vault plugin system is documented on the Vault documentation site.

You will need to define a plugin directory using the plugin_directory configuration directive, then place the vault-plugin-database-aerospike executable downloaded/generated above in the directory.

Sample commands for registering and starting to use the plugin:

# sha256 must be the bare hex digest of the plugin binary; a bare "openssl sha256 < file"
# prints "(stdin)= <digest>", which the shell splits into two arguments and Vault rejects.
$ vault write sys/plugins/catalog/database/aerospike-database-plugin \
    sha256=$(shasum -a 256 vault-plugin-database-aerospike | cut -d' ' -f1) \
    command="vault-plugin-database-aerospike"
Success! Data written to: sys/plugins/catalog/database/aerospike-database-plugin

$ vault secrets enable database
Success! Enabled the database secrets engine at: database/

# host follows the same convention used by the Aerospike command line tools (asadm, asinfo, ...)
# The syntax is "<host1>[:<tlsname1>][:<port1>],..."
$ vault write database/config/aerospike \
    plugin_name=aerospike-database-plugin \
    allowed_roles="*" \
    host=url.to.aerospike.db:3443 \
    username='vaultadmin' \
    password='reallysecurepassword'

# You should consider rotating the admin password.
# Note that if you do, the new password will never be made available through Vault,
# so you should create a vault-specific database admin user for this.
$ vault write -force database/rotate-root/aerospike
Success! Data written to: database/rotate-root/aerospike

If running the plugin on macOS you may run into an issue where the OS prevents it from being executed. See How to open an app that hasn't been notarized or is from an unidentified developer on Apple's support website to be able to run this.

Usage

Statements

The creation statements are defined as a JSON blob that has an array of roles.

JSON example:

{ "roles": ["read", "user-admin"] }
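As an added example (not code from the plugin itself), the following Go snippet parses the creation statement in exactly the shape shown above and rejects the inputs a Vault operator most often gets wrong: malformed JSON, a misspelled key, and an empty roles list. The optional allowlist parameter is an assumption introduced here for illustration; the page does not describe any role allowlist in the plugin.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// creationStatement mirrors the JSON blob the README shows for
// creation_statements: {"roles": ["read", "user-admin"]}.
type creationStatement struct {
	Roles []string `json:"roles"`
}

// parseCreationStatement decodes the JSON blob and returns the deduplicated
// list of roles. allowedRoles is a hypothetical operator-supplied allowlist
// (not part of the plugin); when non-nil, every role must appear in it.
func parseCreationStatement(raw string, allowedRoles map[string]bool) ([]string, error) {
	dec := json.NewDecoder(strings.NewReader(raw))
	// A typo such as "role" instead of "roles" should fail loudly rather than
	// silently produce an account with no privileges.
	dec.DisallowUnknownFields()
	var st creationStatement
	if err := dec.Decode(&st); err != nil {
		return nil, fmt.Errorf("creation statement is not valid JSON: %w", err)
	}
	if len(st.Roles) == 0 {
		return nil, errors.New("creation statement must list at least one role")
	}
	seen := map[string]bool{}
	var roles []string
	for _, r := range st.Roles {
		r = strings.TrimSpace(r)
		if r == "" {
			return nil, errors.New("creation statement contains an empty role name")
		}
		if allowedRoles != nil && !allowedRoles[r] {
			return nil, fmt.Errorf("role %q is not permitted by the allowlist", r)
		}
		if !seen[r] {
			seen[r] = true
			roles = append(roles, r)
		}
	}
	return roles, nil
}

func main() {
	// Constructed inputs: the README's example and a broken variant.
	for _, in := range []string{`{ "roles": ["read", "user-admin"] }`, `{ roles": ["read"] }`, `{"roles": []}`} {
		roles, err := parseCreationStatement(in, nil)
		fmt.Printf("%-40s -> roles=%v err=%v\n", in, roles, err)
	}
}
```

Run it with go run and it prints one line per input; the second and third inputs produce an error instead of a role list.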

Roles

Dynamic role

Sample commands for creating a dynamic role and generating credentials for it:

$ vault write database/roles/as-reader \
    db_name=aerospike \
    creation_statements='{"roles":["read"]}' \
    default_ttl=1h \
    max_ttl=24h
Success! Data written to: database/roles/as-reader

$ vault read database/creds/as-reader
Key                Value
---                -----
lease_id           database/creds/as-reader/sCKFOMxr3bKx0MSyV2O9vOIt
lease_duration     1h
lease_renewable    true
password           A1a-IMCI3TGEyZWDmiyn
username           v-token-as-reader-yYbN28OzeWbw1e4r5Ayr-1602523665

Static role

Sample commands for creating a static role and reading its current credentials (the user needs to already exist in Aerospike):

$ vault write database/static-roles/as-rwuser \
    db_name=aerospike \
    username=rwuser \
    rotation_period=1h
Success! Data written to: database/static-roles/as-rwuser

$ vault read database/static-creds/as-rwuser
Key                    Value
---                    -----
last_vault_rotation    2020-10-12T18:03:01.4751843Z
password               A1a-tZqNXpivBu6dfATJ
rotation_period        1h
ttl                    59m45s
username               rwuser

TLS config

To enable TLS, you must set the tls_ca config parameter to a PEM representation of the CA that issued the Aerospike server certificate. If the name to validate the server certificate against differs from the hostname used to reach the server, supply it as the tlsname component of the host config parameter triplet ("<host>:<tlsname>:<port>").

TLS Example:

$ vault write database/config/aerospike \
    plugin_name=aerospike-database-plugin \
    allowed_roles="*" \
    host=url.to.aerospike.db:tls_server_name:3443 \
    tls_ca=$(cat rootCA.pem) \
    username='vaultadmin' \
    password='reallysecurepassword'

Mutual TLS is enabled by setting the tls_certificate_key config parameter to a PEM representation of the client certificate and the unencrypted private key.

Mutual TLS Example:

$ vault write database/config/aerospike \
    plugin_name=aerospike-database-plugin \
    allowed_roles="*" \
    host=url.to.aerospike.db:tls_server_name:3443 \
    tls_ca=$(cat rootCA.crt) \
    tls_certificate_key=$(cat client.crt client.key) \
    username='vaultadmin' \
    password='reallysecurepassword'
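As an added example (not the plugin's own code), this Go snippet parses the "<host1>[:<tlsname1>][:<port1>],..." host string described in the Installation section and builds a crypto/tls configuration that follows the tls_ca and tls_certificate_key semantics described above: the CA PEM is mandatory for TLS, the concatenated client certificate and key PEM is optional and enables mutual TLS, and the tlsname component becomes the name the server certificate is verified against. The default port of 3000, the function names and the hostEntry type are assumptions made for this example.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// hostEntry is one element of the "<host>[:<tlsname>][:<port>]" list.
type hostEntry struct {
	Host    string
	TLSName string // name expected in the server certificate; empty means use Host
	Port    int
}

// defaultPort is assumed here for entries that omit a port.
const defaultPort = 3000

// serverName is the name verified against the server certificate: the tlsname
// component when given, otherwise the hostname itself.
func (e hostEntry) serverName() string {
	if e.TLSName != "" {
		return e.TLSName
	}
	return e.Host
}

// parseHosts splits the comma-separated host string. "h:3443" is host+port,
// "h:name:3443" is host+tlsname+port, "h:name" is host+tlsname.
func parseHosts(spec string) ([]hostEntry, error) {
	var out []hostEntry
	for _, item := range strings.Split(spec, ",") {
		item = strings.TrimSpace(item)
		if item == "" {
			return nil, errors.New("empty host entry")
		}
		parts := strings.Split(item, ":")
		e := hostEntry{Host: parts[0], Port: defaultPort}
		switch len(parts) {
		case 1:
		case 2:
			// Two components: a port if numeric, otherwise a tls name.
			if p, err := strconv.Atoi(parts[1]); err == nil {
				e.Port = p
			} else {
				e.TLSName = parts[1]
			}
		case 3:
			e.TLSName = parts[1]
			p, err := strconv.Atoi(parts[2])
			if err != nil {
				return nil, fmt.Errorf("bad port in %q: %w", item, err)
			}
			e.Port = p
		default:
			return nil, fmt.Errorf("too many components in %q", item)
		}
		if e.Host == "" || e.Port < 1 || e.Port > 65535 {
			return nil, fmt.Errorf("invalid host entry %q", item)
		}
		out = append(out, e)
	}
	return out, nil
}

// buildTLSConfig requires a CA PEM (tls_ca) and optionally takes the client
// certificate and key concatenated in one PEM bundle (tls_certificate_key),
// which is what `cat client.crt client.key` produces.
func buildTLSConfig(caPEM, certKeyPEM []byte, serverName string) (*tls.Config, error) {
	if len(caPEM) == 0 {
		return nil, errors.New("tls_ca is required to enable TLS")
	}
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		return nil, errors.New("tls_ca does not contain a parseable PEM certificate")
	}
	cfg := &tls.Config{RootCAs: pool, ServerName: serverName, MinVersion: tls.VersionTLS12}
	if len(certKeyPEM) > 0 {
		// X509KeyPair skips non-matching block types, so the same bundle can be
		// passed as both the certificate and the key input.
		cert, err := tls.X509KeyPair(certKeyPEM, certKeyPEM)
		if err != nil {
			return nil, fmt.Errorf("tls_certificate_key: %w", err)
		}
		cfg.Certificates = []tls.Certificate{cert}
	}
	return cfg, nil
}

func main() {
	// Constructed host string matching the README's TLS example plus a plain entry.
	hosts, err := parseHosts("url.to.aerospike.db:tls_server_name:3443,10.0.0.2:3000")
	if err != nil {
		panic(err)
	}
	for _, h := range hosts {
		fmt.Printf("host=%s port=%d verify-as=%s\n", h.Host, h.Port, h.serverName())
	}
	if _, err := buildTLSConfig(nil, nil, hosts[0].serverName()); err != nil {
		fmt.Println("without tls_ca:", err)
	}
}
```

Feeding the result of buildTLSConfig to a client is left to the caller; the point of the example is that a missing or unparseable tls_ca fails closed instead of silently producing a connection that skips server verification.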

Documentation

Overview

Package aerospike implements a Vault database plugin for Aerospike.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func New

func New() (interface{}, error)

New returns a new Aerospike instance.

func Run

func Run(apiTLSConfig *api.TLSConfig) error

Run instantiates an Aerospike object, and runs the RPC server for the plugin.

Types

type Aerospike

type Aerospike struct {
	credsutil.CredentialsProducer
	// contains filtered or unexported fields
}

Aerospike is an implementation of Database interface.

func (Aerospike) Close

func (c Aerospike) Close() error

Close attempts to close the connection.

func (Aerospike) Connection

func (c Aerospike) Connection(ctx context.Context) (interface{}, error)

Connection creates or returns an existing database connection. If the session fails a ping check, the session is closed and re-created. This method does not lock the mutex; that is the caller's responsibility.

func (*Aerospike) CreateUser

func (a *Aerospike) CreateUser(ctx context.Context, statements dbplugin.Statements, usernameConfig dbplugin.UsernameConfig, expiration time.Time) (username string, password string, err error)

CreateUser generates the username/password on the underlying Aerospike secret backend as instructed by the CreationStatement provided. The creation statement is a JSON blob that has an array of roles.

JSON Example:

{ "roles": ["read", "user-admin"] }

func (Aerospike) Init

func (c Aerospike) Init(ctx context.Context, conf map[string]interface{}, verifyConnection bool) (map[string]interface{}, error)

Init parses connection configuration.

func (Aerospike) Initialize

func (c Aerospike) Initialize(ctx context.Context, conf map[string]interface{}, verifyConnection bool) error

func (*Aerospike) RenewUser

func (a *Aerospike) RenewUser(ctx context.Context, statements dbplugin.Statements, username string, expiration time.Time) error

RenewUser is not supported on Aerospike, so this is a no-op.

func (*Aerospike) RevokeUser

func (a *Aerospike) RevokeUser(ctx context.Context, statements dbplugin.Statements, username string) error

RevokeUser drops the specified user.

func (*Aerospike) RotateRootCredentials

func (a *Aerospike) RotateRootCredentials(ctx context.Context, statements []string) (map[string]interface{}, error)

RotateRootCredentials rotates the initial root database credentials. The new root password will only be known by Vault.

func (*Aerospike) SetCredentials

func (a *Aerospike) SetCredentials(ctx context.Context, statements dbplugin.Statements, staticUser dbplugin.StaticUserConfig) (username, password string, err error)

SetCredentials uses provided information to set/create a user in the database. Unlike CreateUser, this method requires a username be provided and uses the name given, instead of generating a name. This is used for creating and setting the password of static accounts, as well as rolling back passwords in the database in the event an updated database fails to save in Vault's storage.

func (*Aerospike) Type

func (a *Aerospike) Type() (string, error)

Type returns the TypeName for this backend.
